Adobe Update is finally out, well, some of them

Published: 2009-03-11. Last Updated: 2009-03-11 21:45:25 UTC
by Joel Esler (Version: 2)
5 comment(s)

Thank you all that wrote in letting us know that the Adobe Update for Reader and Acrobat 9 is finally out.  Swa pointed this out in his diary right here.  However, I wanted to expand upon the update a little bit, because I still find it to be "wanting".

Adobe has named this release "9.1" for both Adobe Reader and Adobe 9 (Standard, Pro, and Pro Extended).  The patch is out for Windows and Macintosh only, however. 

Adobe says they plan for updates to Reader 7 and 8 and Acrobat 7 and 8 to be out by March 18th.  They also plan to make Adobe Reader 9.1 available for Unix by March 25th.

As a work around, Adobe says to refer to this post for a work around on how to disable Javascript so that you won't be affected, however, as our readers of the Internet Storm Center and the VRT Blog know, this is not a Javascript exploit, and you can still be exploited without javascript turned on!

So, Adobe did fix the issue for users of "9" on Windows and Mac, but the other platforms are still vulnerable.  If you are using Adobe 7 or 8, if you can update to 9.1, that would be for the best.

(Yes, I work for Sourcefire.)

-- Joel Esler http://www.joelesler.net

UPDATE

Couple of readers wrote to say that it appears that the update installs other Adobe applications as well, such as Adobe Air.

Another reader wrote to say that a lite version is available at ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/, but only as an EXE file (you'll have to create the MSI yourself if you want to use it for deployment).

-- Bojan

Keywords:
5 comment(s)

Comments

Another way to give your users a fighting chance is to de-integrate PDF from opening directly inside of Internet Explorer. Desktop antivirus will have a better chance to examine the PDF and the user may twig to something being wrong with an unexpected prompt to open a PDF when they are browsing the web.

http://www.kb.cert.org/vuls/id/666281
Nice idea!
Echo'ing Andrew's suggestion, you can use the PDF Download add-on for Firefox (https://addons.mozilla.org/en-US/firefox/addon/636) to force the download of all PDFs instead of them opening inside your browser.
You can extract the msi and cab files from the exe.

See: http://kb.adobe.com/selfservice/viewContent.do?externalId=kb404146
And I can chip in that it took up to two days for Help, Update to work for interactive updates. I find that doing this will leave your preferences intact if you've removed Acrobat.com and AIR from your Adobe Reader. If you have removed these two and then launch the full installer, it will not respect your subsequent choice where you removed them via Add-Remove Control Panel and will do a full install and you will get Acrobat.com and AIR back again.

Diary Archives